1
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2024-12-22 12:54:53 -05:00
forgejo/tests/integration/api_twofa_test.go
Gusted a8c61532d2
feat: migrate TOTP secrets to keying
- Currently the TOTP secrets are stored using the `secrets` module with
as key the MD5 hash of the Secretkey, the `secrets` module uses general
bad practices. This patch migrates the secrets to use the `keying`
module (#5041) which is easier to use and use better practices to store
secrets in databases.
- Migration test added.
- Remove the Forgejo migration databases, and let the gitea migration
databases also run forgejo migration databases. This is required as the
Forgejo migration is now also touching tables that the forgejo migration
didn't create itself.
2024-11-27 00:34:16 +01:00

81 lines
2.1 KiB
Go

// Copyright 2023 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT
package integration
import (
"net/http"
"testing"
"time"
auth_model "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/models/db"
"code.gitea.io/gitea/models/unittest"
user_model "code.gitea.io/gitea/models/user"
"code.gitea.io/gitea/tests"
"github.com/pquerna/otp/totp"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
func TestAPITwoFactor(t *testing.T) {
defer tests.PrepareTestEnv(t)()
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 16})
req := NewRequest(t, "GET", "/api/v1/user").
AddBasicAuth(user.Name)
MakeRequest(t, req, http.StatusOK)
otpKey, err := totp.Generate(totp.GenerateOpts{
SecretSize: 40,
Issuer: "gitea-test",
AccountName: user.Name,
})
require.NoError(t, err)
tfa := &auth_model.TwoFactor{
UID: user.ID,
}
require.NoError(t, auth_model.NewTwoFactor(db.DefaultContext, tfa, otpKey.Secret()))
req = NewRequest(t, "GET", "/api/v1/user").
AddBasicAuth(user.Name)
MakeRequest(t, req, http.StatusUnauthorized)
passcode, err := totp.GenerateCode(otpKey.Secret(), time.Now())
require.NoError(t, err)
req = NewRequest(t, "GET", "/api/v1/user").
AddBasicAuth(user.Name)
req.Header.Set("X-Gitea-OTP", passcode)
MakeRequest(t, req, http.StatusOK)
req = NewRequestf(t, "GET", "/api/v1/user").
AddBasicAuth(user.Name)
req.Header.Set("X-Forgejo-OTP", passcode)
MakeRequest(t, req, http.StatusOK)
}
func TestAPIWebAuthn(t *testing.T) {
defer tests.PrepareTestEnv(t)()
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 32})
unittest.AssertExistsAndLoadBean(t, &auth_model.WebAuthnCredential{UserID: user.ID})
req := NewRequest(t, "GET", "/api/v1/user")
req.SetBasicAuth(user.Name, "notpassword")
resp := MakeRequest(t, req, http.StatusUnauthorized)
type userResponse struct {
Message string `json:"message"`
}
var userParsed userResponse
DecodeJSON(t, resp, &userParsed)
assert.EqualValues(t, "Basic authorization is not allowed while having security keys enrolled", userParsed.Message)
}